eclipse-pass / pass-docker

Developer-focused PASS runtime, which provides PASS and all of its dependent services using docker-compose. Provides Docker images used for production deployment of PASS.
Apache License 2.0

Change CORS Access Control headers in proxy server #360

Closed rpoet-jh closed 9 months ago

rpoet-jh commented 9 months ago

The Access-Control-Allow-Origin header was set to *, allowing any domain to make a CORS request. I have changed this so that the Access-Control-Allow-Origin will be set to https://domainname.

I also removed the access control headers since allowing the browser to default is recommended. Additionally, I didn't see any requests where a header named authorization was being returned, so the Access-Control-Expose-Headers appeared not to be relevant to PASS.

I tested these changes locally and on stage, and logging into pass worked fine.

rpoet-jh commented 9 months ago

Looks good. I was wondering about pass-data-client, but CORS should not apply to those requests because they won't have an origin header set.

Right, the deposit/notification services and data loaders that use pass-data-client actually communicate directly with pass-core:8080, bypassing the proxy/auth containers. CORS enforcement is mainly a function of the browser, so this seems ok.
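An added illustration (not pass-docker's proxy configuration or any code from this PR) that models the header policy before and after the change and applies a simplified browser-side CORS check to it. The site origin, the "other" origin and the exact Allow-Headers value are constructed placeholders; the page names only the wildcard and the `authorization` exposure.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the real site origin the PR writes as https://domainname
ALLOWED_ORIGIN = "https://pass.example.org"


def proxy_headers_before() -> Dict[str, str]:
    """Headers the proxy added before the PR: wildcard origin plus explicit
    allow/expose lists (the Allow-Headers value here is assumed)."""
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Headers": "authorization, content-type",
        "Access-Control-Expose-Headers": "authorization",
    }


def proxy_headers_after() -> Dict[str, str]:
    """Headers after the PR: one fixed origin, browser defaults for everything else."""
    return {"Access-Control-Allow-Origin": ALLOWED_ORIGIN}


def browser_permits_read(origin: Optional[str], response: Dict[str, str]) -> Optional[bool]:
    """Simplified browser decision for a non-credentialed cross-origin request.
    Returns None when the request carries no Origin header at all: it is then
    not a CORS request, which is the pass-data-client case from the discussion,
    and the proxy's header is simply never consulted."""
    if origin is None:
        return None
    acao = response.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def audit(response: Dict[str, str]) -> List[str]:
    """Flag the two weaknesses the PR removed so a reviewer can check a proxy's
    response headers without reading its configuration."""
    findings = []
    if response.get("Access-Control-Allow-Origin") == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any origin passes the browser check")
    if "authorization" in response.get("Access-Control-Expose-Headers", "").lower():
        findings.append("Access-Control-Expose-Headers lets page scripts read 'authorization'")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("before", proxy_headers_before()), ("after", proxy_headers_after())):
        print(name, browser_permits_read("https://other.example", hdrs), audit(hdrs))
```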